Overfitting or perfect fitting? Risk bounds for classification and regression rules that interpolate
Mikhail Belkin Daniel Hsu Partha P. Mitra The Ohio State University Columbia University Cold Spring Harbor Laboratory
Abstract
Many modern machine learning models are trained to achieve zero or near-zero training error in order to obtain near-optimal (but non-zero) test error. This phe- nomenon of strong generalization performance for “overfitted” / interpolated clas- sifiers appears to be ubiquitous in high-dimensional data, having been observed in deep networks, kernel machines, boosting and random forests. Their performance is consistently robust even when the data contain large amounts of label noise. Very little theory is available to explain these observations. The vast majority of theoretical analyses of generalization allows for interpolation only when there is little or no label noise. This paper takes a step toward a theoretical foundation for interpolated classifiers by analyzing local interpolating schemes, including geometric simplicial interpolation algorithm and singularly weighted k-nearest neighbor schemes. Consistency or near-consistency is proved for these schemes in classification and regression problems. Moreover, the nearest neighbor schemes exhibit optimal rates under some standard statistical assumptions. Finally, this paper suggests a way to explain the phenomenon of adversarial ex- amples, which are seemingly ubiquitous in modern machine learning, and also discusses some connections to kernel machines and random forests in the interpo- lated regime.
1 Introduction
The central problem of supervised inference is to predict labels of unseen data points from a set of labeled training data. The literature on this subject is vast, ranging from classical parametric and non-parametric statistics [48, 49] to more recent machine learning methods, such as kernel machines [39], boosting [36], random forests [15], and deep neural networks [25]. There is a wealth of theoretical analyses for these methods based on a spectrum of techniques including non- parametric estimation [46], capacity control such as VC-dimension or Rademacher complexity [40], and regularization theory [42]. In nearly all of these results, theoretical analysis of generalization requires “what you see is what you get” setup, where prediction performance on unseen test data is close to the performance on the training data, achieved by carefully managing the bias-variance trade-off. Furthermore, it is widely accepted in the literature that interpolation has poor statistical properties and should be dismissed out-of-hand. For example, in their book on non-parametric statistics, Györfi et al. [26, page 21] say that a certain procedure “may lead to a function which interpolates the data and hence is not a reasonable estimate”. Yet, this is not how many modern machine learning methods are used in practice. For instance, the best practice for training deep neural networks is to first perfectly fit the training data [35]. The resulting (zero training loss) neural networks after this first step can already have good performance on test data [53]. Similar observations about models that perfectly fit training data have been
E-mail: [email protected], [email protected], [email protected]
32nd Conference on Neural Information Processing Systems (NeurIPS 2018), Montréal, Canada. made for other machine learning methods, including boosting [37], random forests [19], and kernel machines [12]. These methods return good classifiers even when the training data have high levels of label noise [12, 51, 53]. An important effort to show that fitting the training data exactly can under certain conditions be theoretically justified is the margins theory for boosting [37] and other margin-based methods [6, 24, 28, 29, 34]. However, this theory lacks explanatory power for the performance of classifiers that perfectly fit noisy labels, when it is known that no margin is present in the data [12, 51]. Moreover, margins theory does not apply to regression and to functions (for regression or classification) that interpolate the data in the classical sense [12]. In this paper, we identify the challenge of providing a rigorous understanding of generalization in machine learning models that interpolate training data. We take first steps towards such a theory by proposing and analyzing interpolating methods for classification and regression with non-trivial risk and consistency guarantees.
Related work. Many existing forms of generalization analyses face significant analytical and conceptual barriers to being able to explain the success of interpolating methods.
Capacity control. Existing capacity-based bounds (e.g., VC dimension, fat-shattering dimension, Rademacher complexity) for empirical risk minimization [3, 4, 7, 28, 37] do not give useful risk bounds for functions with zero empirical risk whenever there is non-negligible label noise. This is because function classes rich enough to perfectly fit noisy training labels generally have capacity measures that grow quickly with the number of training data, at least with the existing notions of capacity [12]. Note that since the training risk is zero for the functions of interest, the generalization bound must bound their true risk, as it equals the generalization gap (difference between the true and empirical risk). Whether such capacity-based generalization bounds exist is open for debate. Stability. Generalization analyses based on algorithmic stability [8, 14] control the difference between the true risk and the training risk, assuming bounded sensitivity of an algorithm’s output to small changes in training data. Like standard uses of capacity-based bounds, these approaches are not well-suited to settings when training risk is identically zero but true risk is non-zero. Regularization. Many analyses are available for regularization approaches to statistical inverse problems, ranging from Tikhonov regularization to early stopping [9, 16, 42, 52]. To obtain a risk bound, these analyses require the regularization parameter � (or some analogous quantity) to approach zero as the number of data n tends to infinity. However, to get (the minimum norm) interpolation, we need � 0 while n is fixed, causing the bounds to diverge. ! Smoothing. There is an extensive literature on local prediction rules in non-parametric statistics [46, 49]. Nearly all of these analyses require local smoothing (to explicitly balance bias and variance) and thus do not apply to interpolation. (Two exceptions are discussed below.)
Recently, Wyner et al. [51] proposed a thought-provoking explanation for the performance of Ad- aBoost and random forests in the interpolation regime, based on ideas related to “self-averaging” and localization. However, a theoretical basis for these ideas is not developed in their work. There are two important exceptions to the aforementioned discussion of non-parametric methods. First, the nearest neighbor rule (also called 1-nearest neighbor, in the context of the general family of k-nearest neighbor rules) is a well-known interpolating classification method, though it is not generally consistent for classification (and is not useful for regression when there is significant amount of label noise). Nevertheless, its asymptotic risk can be shown to be bounded above by twice the Bayes risk [18].1 A second important (though perhaps less well-known) exception is the non-parametric smoothing method of Devroye et al. [21] based on a singular kernel called the Hilbert kernel (which is related to Shepard’s method [41]). The resulting estimate of the regression function interpolates the training data, yet is proved to be consistent for classification and regression. The analyses of the nearest neighbor rule and Hilbert kernel regression estimate are not based on bounding generalization gap, the difference between the true risk and the empirical risk. Rather, the true risk is analyzed directly by exploiting locality properties of the prediction rules. In particular, the
1More precisely, the expected risk of the nearest neighbor rule converges to E[2⌘(X)(1 ⌘(X))], where ⌘ � is the regression function; this quantity can be bounded above by 2R⇤(1 R⇤), where R⇤ is the Bayes risk. �
2 prediction at a point depends primarily or entirely on the values of the function at nearby points. This inductive bias favors functions where local information in a neighborhood can be aggregated to give an accurate representation of the underlying regression function.
What we do. Our approach to understanding the generalization properties of interpolation methods is to understand and isolate the key properties of local classification, particularly the nearest neighbor rule. First, we construct and analyze an interpolating function based on multivariate triangulation and linear interpolation on each simplex (Section 3), which results in a geometrically intuitive and theoretically tractable prediction rule. Like nearest neighbor, this method is not statistically consistent, but, unlike nearest neighbor, its asymptotic risk approaches the Bayes risk as the dimension becomes large, even when the Bayes risk is far from zero—a kind of “blessing of dimensionality”2. Moreover, under an additional margin condition the difference between the Bayes risk and our classifier is exponentially small in the dimension. A similar finding holds for regression, as the method is nearly consistent when the dimension is high. Next, we propose a weighted & interpolated nearest neighbor (wiNN) scheme based on singular weight functions (Section 4). The resulting function is somewhat less natural than that obtained by simplicial interpolation, but like the Hilbert kernel regression estimate, the prediction rule is statistically consistent in any dimension. Interestingly, conditions on the weights to ensure consistency become less restrictive in higher dimension—another “blessing of dimensionality”. Our analysis provides the first known non-asymptotic rates of convergence to the Bayes risk for an interpolated predictor, as well as tighter bounds under margin conditions for classification. In fact, the rate achieved by wiNN regression is statistically optimal under a standard minimax setting3. Our results also suggest an explanation for the phenomenon of adversarial examples [44], which are seemingly ubiquitous in modern machine learning. In Section 5, we argue that interpolation inevitably results in adversarial examples in the presence of any amount of label noise. When these schemes are consistent or nearly consistent, the set of adversarial examples (where the interpolating classifier disagrees with the Bayes optimal) has small measure but is asymptotically dense. Our analysis is consistent with the empirical observations that such examples are difficult to find by random sampling [22], but are easily discovered using targeted optimization procedures, such as Projected Gradient Descent [30]. Finally, we discuss the difference between direct and inverse interpolation schemes; and make some connections to kernel machines, and random forests in (Section 6). Proofs of the main results, along with an informal discussion of some connections to graph-based semi-supervised learning, are given in the full version of the paper [11] on arXiv.4
2 Preliminaries
The goal of regression and classification is to construct a predictor fˆ given labeled training data d (x1,y1),...,(xn,yn) R R, that performs well on unseen test data, which are typically assumed to be sampled from the2 same⇥ distribution as the training data. In this work, we focus on interpolating methods that construct predictors fˆ satisfying fˆ(xi)=yi for all i =1,...,n. Algorithms that perfectly fit training data are not common in statistical and machine learning literature. The prominent exception is the nearest neighbor rule, which is among of the oldest and best- understood classification methods. Given a training set of labeled example, the nearest neighbor rule predicts the label of a new point x to be the same as that of the nearest point to x within the training d set. Mathematically, the predicted label of x R is yi, where i arg mini =1,...,n x xi . (Here, 2 2 0 k � 0 k always denotes the Euclidean norm.) As discussed above, the classification risk of the nearest neighbork·k rule is asymptotically bounded by twice the Bayes (optimal) risk [18]. The nearest neighbor
2This does not remove the usual curse of dimensionality, which is similar to the standard analyses of k-NN and other non-parametric methods. 3An earlier version of this article paper contained a bound with a worse rate of convergence based on a loose analysis. The subsequent work [13] found that a different Nadaraya-Watson kernel regression estimate (with a singular kernel) could achieve the optimal convergence rate; this inspired us to seek a tighter analysis of our wiNN scheme. 4https://arxiv.org/abs/1806.05161
3 rule provides an important intuition that such classifiers can (and perhaps should) be constructed using local information in the feature space. In this paper, we analyze two interpolating schemes, one based on triangulating and constructing the simplicial interpolant for the data, and another, based on weighted nearest neighbors with singular weight function.
2.1 Statistical model and notations
d We assume (X1,Y1),...,(Xn,Yn), (X, Y ) are iid labeled examples from R [0, 1]. Here, n ⇥ ((Xi,Yi))i=1 are the iid training data, and (X, Y ) is an independent test example from the same distribution. Let µ denote the marginal distribution of X, with support denoted by supp(µ); and let ⌘ : Rd R denote the conditional mean of Y given X, i.e., the function given by ! ⌘(x) := E(Y X = x). For (binary) classification, we assume the range of Y is 0, 1 | d { } (so ⌘(x)=P(Y =1 X = x)), and we let f ⇤ : R 0, 1 denote the Bayes opti- | !{ } mal classifier, which is defined by f ⇤(x) := 1 ⌘(x)>1/2 . This classifier minimizes the risk 1 { } 0/1(f) := E[ f(X)=Y ]=P(f(X) = Y ) under zero-one loss, while the conditional mean R { 6 } 6 2 function ⌘ minimizes the risk sq(g) := E[(g(X) Y ) ] under squared loss. R � The goal of our analyses will be to establish excess risk bounds for empirical predictors (fˆand ⌘ˆ, based on training data) in terms of their agreement with f ⇤ for classification and with ⌘ for regression. For ˆ ˆ classification, the expected risk can be bounded as E[ 0/1(f)] 0/1(f ⇤)+P(f(X) = f ⇤(X)), R R 6 while for regression, the expected mean squared error is precisely E[ sq(ˆ⌘(X))] = sq(⌘)+ 2 ˆ R R 2 E[(ˆ⌘(X) ⌘(X) ]. Our analyses thus mostly focus on P(f(X) = f ⇤(X)) and E[(ˆ⌘(X) ⌘(X)) ] (where the� probability and expectations are with respect to both the6 training data and the test� example).
2.2 Smoothness, margin, and regularity conditions Below we list some standard conditions needed for further development.
↵ (A,↵)-smoothness (Hölder). For all x, x0 in the support of µ, ⌘(x) ⌘(x0) A x x0 . | � | ·k � k (B,�)-margin condition [31, 45]. For all t 0, µ( x Rd : ⌘(x) 1/2 t ) B t�. � { 2 | � | } · h-hard margin condition [32]. For all x in the support of µ, ⌘(x) 1/2 h>0. | � |� (c ,r )-regularity [5]. For all 0 The regularity condition from Audibert and Tsybakov [5] is not very restrictive. For example, if supp(µ)=B(0, 1), then c 1/2 and r 1. 0 ⇡ 0 � Uniform distribution condition. In what follows, we mostly assume uniform marginal distribution µ over a certain domain. This is done for the sake of simplicity and is not an essential condition. For example, in every statement the uniform measure can be substituted (with a potential change of constants) by an arbitrary measure with density bounded from below. 3 Interpolating scheme based on multivariate triangulation In this section, we describe and analyze an interpolating scheme based on multivariate triangulation. Our main interest in this scheme is in its natural geometric properties and the risk bounds for regression and classification which compare favorably to those of the original nearest neighbor rule (despite the fact that neither is statistically consistent in general). 3.1 Definition and basic properties d n d We define an interpolating function ⌘ˆ: R R based on training data ((xi,yi))i=1 from R R and a (multivariate) triangulation scheme T . This! function is simplicial interpolation [20, 27]. We⇥ assume d without loss of generality that the (unlabeled) examples x1,...,xn span R . The triangulation 4 scheme T partitions the convex hull C := conv(x1,...,xn) of the unlabeled examples into non- degenerate simplices5 with vertices at the unlabeled examples; these simplices intersect only at 3.2 Mean squared error We first illustrate the behavior of simplicial interpolation in a simple regression setting. Here, d (X1,Y1),...,(Xn,Yn), (X, Y ) are iid labeled examples from R [0, 1]. For simplicity, we assume ⇥ that µ is the uniform distribution on a full-dimensional compact and convex subset of Rd. In general, each Yi may deviate from its conditional mean ⌘(Xi) by a non-negligible amount, and hence any function that interpolates the training data is “fitting noise”. Nevertheless, in high dimension, the mean squared error of such a function will be quite close to that of the (optimal) conditional mean function. d 5We say a simplex in R is non-degenerate if it has non-zero d-dimensional Lebesgue measure. 6Of course, some points x have more than one containing simplex; we will see that the ambiguity in defining UT (x) and LT (x) for such points is not important. 5 Theorem 3.2. Assume µ is the uniform distribution on a full-dimensional compact and convex subset of Rd; ⌘ satisfies the (A,↵)-smoothness condition; and the conditional variance function x ˆ 7! var(Y X = x) satisfies the (A0,↵0)-smoothness condition. Let �T :=supx C diam(conv(UT (x))) | 2 denote the maximum diameter of any simplex in the triangulation T derived from X1,...,Xn. Then b 1 2 2 2 d 2 ˆ2↵ ˆ↵0 2 E[(ˆ⌘(X) ⌘(X)) ] E[µ(R C)] + A E[� ]+ A0E[� ]+ E[(Y ⌘(X)) ]. � 4 \ T d +2 T d +2 � Corollary 3.3. In addition to the assumptionsb in Theorem 3.2, assume supp(µ) is a simple polytope d 2 in R and T is constructed using Delaunay triangulation. Then lim supn E[(ˆ⌘(X) ⌘(X)) ] 2 2 !1 � E[(Y ⌘(X)) ]. d+2 � 3.3 Classification risk ˆ We now analyze the statistical risk of the plug-in classifier based on ⌘ˆ, given by f(x) := 1 ⌘ˆ(x)>1/2 . As in Section 3.2, we assume that µ is the uniform distribution on a full-dimensional compact{ and} convex subset of Rd. We first observe that under the same conditions as Corollary 3.3, the asymptotic excess risk of fˆ is O(1/pd). Moreover, when the conditional mean function satisfies a margin condition, this 1/pd can be replaced with a quantity that is exponentially small in d, as we show next. Theorem 3.4. Suppose ⌘ satisfies the h-hard margin condition. As above, assume µ is the uniform distribution on a simple polytope in Rd, and T is constructed using Delaunay triangulation. Further- more, assume ⌘ is Lipschitz away from the class boundary (i.e., on x supp(µ) : ⌘(x) 1/2 > 0 ) and that the class boundary @ has finite d 1-dimensional volume7{. Then,2 for some| absolute� constants| } � ˆ c2d c1,c2 > 0 (which may depend on h), lim supn E[ 0/1(f)] 0/1(f ⇤) (1 + c1e� ). !1 R R · Remark 3.5. The asymptotic risk bounds show that the risk of fˆcan be very close to the Bayes risk in high dimensions, thus exhibiting a certain “blessing of dimensionality". This stands in contrast to the nearest neighbor rule, whose asymptotic risk does not diminish with the dimension and is bounded by twice the Bayes risk, 2 (f ⇤). R0/1 4 Interpolating nearest neighbor schemes In this section, we describe a weighted nearest neighbor scheme that, like the 1-nearest neighbor rule, interpolates the training data, but is similar to the classical (unweighted) k-nearest neighbor rule in terms of other properties, including convergence and consistency. (The classical k-nearest neighbor rule is not generally an interpolating method except when k =1.) 4.1 Weighted & interpolated nearest neighbors d n For a given x R , let x(i) be the i-th nearest neighbor of x among the training data ((xi,yi))i=1 d 2 d d from R R, and let y(i) be the corresponding label. Let w(x, z) be a function R R R.A weighted⇥ nearest neighbor scheme is simply a function of the form ⇥ ! k i=1 w(x, x(i))y(i) ⌘ˆ(x) := k . P i=1 w(x, x(i)) In what follows, we investigate the propertiesP of interpolating schemes of this type. We will need two key observations for the analyses of these algorithms. Conditional independence. The first key observation is that, under the usual iid sampling assump- tions on the data, the first k nearest neighbors of x are conditionally independent given X(k+1). k 8 That implies that i=1 w(x, X(i))Y(i) is a sum of conditionally iid random variables . Hence, under a mild condition on w(x, X ), we expect them to concentrate around their expected value. P (i) 7 I.e., lim✏ 0 µ(@ +B(0,✏)) = 0, where “+” denotes the Minkowski sum, i.e., the ✏-neighborhood of @. ! 8Note that these variables are not independent in the ordering given by the distance to x, but a random permutation makes them independent. 6 Assuming some smoothness of ⌘, that value is closely related to ⌘(x)=E(Y X = x), thus allowing us to establish bounds and rates. | Interpolation and singular weight functions. The second key point is that ⌘ˆ(x) is an interpolating scheme, provided that w(x, z) has a singularity when z = x. Indeed, it is easily seen that if limz x w(x, z)= , then limx xi ⌘ˆ(x)=yi. Extending ⌘ˆ continuously to the data points yields! a weighted &1 interpolated nearest! neighbor (wiNN) scheme. We restrict attention to singular weight functions of the following radial type. Fix a positive integer k and a decreasing function �: R+ R+ with a singularity at zero, �(0) = + . We take ! 1 x z w(x, z) := � k � k . x x k � (k+1)k! � Concretely, we will consider � that diverge near t =0as t log(t) or t t� , �>0. 7! � 7! Remark 4.1. The denominator x x(k+1) in the argument of � is not strictly necessary, but it allows for convenient normalizationk � in view ofk the conditional independence of k-nearest neighbors given x(k+1). Note that the weights depend on the sample and are thus data-adaptive. Remark 4.2. Although w(x, x(i)) are unbounded for singular weight functions, concentration only requires certain bounded moments. Geometrically, the volume of the region around the singularity needs to be small enough. For radial weight functions that we consider, this condition is more easily satisfied in high dimension. Indeed, the volume around the singularity becomes exponentially small in high dimension. Our wiNN schemes are related to Nadaraya-Watson kernel regression [33, 50]. The use of singular kernels in the context of interpolation was originally proposed by Shepard [41]; they do not appear to be commonly used in machine learning and statistics, perhaps due to a view that interpolating schemes are unlikely to generalize or even be consistent; the non-adaptive Hilbert kernel regression estimate [21] (essentially, k = n and � = d) is the only exception we know of. 4.2 Mean squared error We first state a risk bound for wiNN schemes in a regression setting. Here, d (X1,Y1),...,(Xn,Yn), (X, Y ) are iid labeled examples from R R. ⇥ Theorem 4.3. Let ⌘ˆ be a wiNN scheme with singular weight function �. Assume the following: d 1. µ is the uniform distribution on a compact subset of R and satisfies the (c0,r0) regularity condition for some c0 > 0 and r0 > 0. 2. ⌘ satisfies the (A,↵)-smoothness for some A>0 and ↵>0. � 3. �(t)=t� for some 0 <� Let Z := �(supp(µ))/�(B(0, 1)), and assume n>2Z k/(c rd). For any x supp(µ), let 0 0 0 0 0 2 rk+1,n(x0) be the distance from x0 to its (k + 1)st nearest neighbor among X1,...,Xn. Then 2 2 2↵ 2 k/4 d E (ˆ⌘(X) ⌘(X)) A E[rk+1,n(X) ]+¯� ke� + , � c0(d 2�)k ⇣ � ⌘ 2 ⇥ ⇤ 2 where �¯ :=supx supp(µ) E[(Y ⌘(x)) X = x]. 2 � | The bound in Theorem 4.3 is stated in terms of the expected distance to the (k + 1)st nearest neighbor raised to the 2↵ power; this is typically bounded by O((k/n)2↵/d). Choosing k = n2↵/(2↵+d) leads 2↵/(2↵+d) to a convergence rate of n� , which is minimax optimal. 4.3 Classification risk ˆ We now analyze the statistical risk of the plug-in classifier f(x)=1 ⌘ˆ(x)>1/2 based on ⌘ˆ. { } As in Section 3.3, it is straigtforward obtain a risk bound for fˆ under the same conditions as 2↵/(2↵+d) ↵/(2↵+d) Theorem 4.3. Choosing k = n leads to a convergence rate of n� . 7 We now give a more direct analysis, largely based on that of Chaudhuri and Dasgupta [17] for the standard k-nearest neighbor rule, that leads to improved rates under favorable conditions. Our most general theorem along these lines is a bit lengthy to state, and hence we defer it to the full version of the paper. But a simple corollary is as follows. Corollary 4.4. Let ⌘ˆ be a wiNN scheme with singular weight function �, and let fˆbe the correspond- ing plug-in classifier. Assume the following: d 1. µ is the uniform distribution on a compact subset of R and satisfies the (c0,r0) regularity condition for some c0 > 0 and r0 > 0. 2. ⌘ satisfies the (A,↵)-smoothness and (B,�)-margin conditions for some A>0, ↵>0, B>0, � 0. � � 3. �(t)=t� for some 0 <� Let Z := �(supp(µ))/�(B(0, 1)), and assume k/n < p c rd/Z . Then for any 0 <�<1/2, 0 0 0 0 ↵/d � 2 ˆ Z0p np k d P(f(X) = f ⇤(X)) B � + A +exp 1 + . 6 c � 2 � np 4k�2c (d 2�) ✓ 0 ◆ ! ✓ ◆ ! 0 � Remark 4.5. For consistency, we set k := n(2+�)↵/((2+�)↵+d), and in the bound, we plug-in ↵/d ↵�/(↵(2+�)+d) p :=2k/n and � := A(Z0p/c0) . This leads to a convergence rate of n� . Remark 4.6. The factor 1/k in the final term in Corollary 4.4 results from an application of Chebyshev inequality. Under additional moment conditions, which are satisfied for certain functions � (e.g., � ⌦(�2k) �(t)= log(t)) with better-behaved singularity at zero than t� , it can be replaced by e� . � � Additionally, while the condition �(t)=t� is convenient for analysis, it is sufficient to assume that � � approaches infinity no faster than t� . 5 Ubiquity of adversarial examples in interpolated learning The recently observed phenomenon of adversarial examples [44] in modern machine learning has drawn a significant degree of interest. It turns out that by introducing a small perturbation to the features of a correctly classified example (e.g., by changing an image in a visually imperceptible way or even by modifying a single pixel [43]) it is nearly always possible to induce neural networks to mis-classify a given input in a seemingly arbitrary and often bewildering way. We will now discuss how our analyses, showing that Bayes optimality is compatible with interpolating the data, provide a possible mechanism for these adversarial examples to arise. Indeed, such examples are seemingly unavoidable in interpolated learning and, thus, in much of the modern practice. As we show below, any interpolating inferential procedure must have abundant adversarial examples in the presence of any amount of label noise. In particular, in consistent on nearly consistent schemes, like those considered in this paper, while the predictor agrees with the Bayes classifier on the bulk of the probability distribution, every “incorrectly labeled” training example (i.e., an example whose label is different from the output of the Bayes optimal classifier) has a small “basin of attraction” with every point in the basin misclassified by the predictor. The total probability mass of these “adversarial” basins is negligible given enough training data, so that a probability of misclassifying a randomly chosen point is low. However, assuming non-zero label noise, the union of these adversarial basins asymptotically is a dense subset of the support for the underlying probability measure and hence there are misclassified examples in every open set. This is indeed consistent with the extensive empirical evidence for neural networks. While their output is observed to be robust to random feature noise [22], adversarial examples turn out to be quite difficult to avoid and can be easily found by targeted optimization methods such as PCG [30]. We conjecture that it may be a general property or perhaps a weakness of interpolating methods, as some non-interpolating local classification rules can be robust against certain forms of adversarial examples [47]. To substantiate this discussion, we now provide a formal mathematical statement. For simplicity, let us consider a binary classification setting. Let µ be a probability distribution with non-zero density defined on a compact domain ⌦ Rd and assume non-zero label noise everywhere, i.e., for all x ⌦, ⇢ ˆ 2 0 <⌘(x) < 1, or equivalently, P(f ⇤(x) = Y X = x) > 0. Let fn be a consistent interpolating classifier constructed from n iid sampled6 data points| (e.g., the classifier constructed in Section 4.3). 8 Let = x ⌦ : fˆ (x) = f ⇤(x) be the set of points at which fˆ disagrees with the Bayes An { 2 n 6 } n optimal classifier f ⇤; in other words, n is the set of “adversarial examples” for fˆn. Consistency of fˆ A ˆ implies that, with probability one, limn µ( n)=0or, equivalently, limn fn f ⇤ L2 =0. !1 A !1 k � k µ On the other hand, the following result shows that the sets n are asymptotically dense in ⌦, so that there is an adversarial example arbitrarily close to any x. A Theorem 5.1. For any ✏>0 and � (0, 1), there exists N N, such that for all n N, with probability �, every point in ⌦ is within2 distance 2✏ of the set2 . � � An Proof sketch. Let (X1,Y1),...,(Xn,Yn) be the training data used to construct fˆn. Fix a finite ✏-cover of ⌦ with respect to the Euclidean distance. Since fˆn is interpolating and ⌘ is never zero nor one, for every i, there is a non-zero probability (over the outcome of the label Yi) that fˆn(Xi)=Yi = f ⇤(Xi); in this case, the training point Xi is an adversarial example for fˆn. By choosing n = n6 (µ, ✏,�) large enough, we can ensure that with probability at least � over the random draw of the training data, every element of the cover is within distance ✏ of at least one adversarial example, upon which every point in ⌦ is within distance 2✏ (by triangle inequality) of the same. 2 A similar argument for regression shows that while an interpolating ⌘ˆ may converge to ⌘ in Lµ, it is generally impossible for it to converge in L unless there is no label noise. An even more striking result is that for the Hilbert scheme of Devroye1 et al., the regression estimator almost surely does not converge at any fixed point, even for the simple case of a constant function corrupted by label noise [21]. This means that with increasing sample size n, at any given point x misclassification will occur an infinite number of times with probability one. We expect similar behavior to hold for the interpolation schemes presented in this paper. 6 Discussion and connections In this paper, we considered two types of algorithms, one based on simplicial interpolation and another based on interpolation by weighted nearest neighbor schemes. It may be useful to think of nearest neighbor schemes as direct methods, not requiring optimization, while our simplicial scheme is a simple example of an inverse method, using (local) matrix inversion to fit the data. Most popular machine learning methods, such as kernel machines, neural networks, and boosting, are inverse schemes. While nearest neighbor and Nadaraya-Watson methods often show adequate performance, they are rarely best-performing algorithms in practice. We conjecture that the simplicial interpolation scheme may provide insights into the properties of interpolating kernel machines and neural networks. To provide some evidence for this line of thought, we show that in one dimension simplicial in- terpolation is indeed a special case of interpolating kernel machine. We will briefly sketch the argument without going into the details. Consider the space of real-valued functions f with the norm f 2 = (df/dx)2 + 2f 2 dx. This space is a reproducingH kernel Hilbert Space correspond- k kH x z ing to the Laplace kernel e� | � |. It can be seen that as 0 the minimum norm interpolant R ! f ⇤ = arg minf , f(x )=y f is simply linear interpolation between adjacent points on the line. 2H 8i i i k kH Note that this is the same as our simplicial interpolating method. Interestingly, a version of random forests similar to PERT [19] also produces linear interpolation in one dimension (in the limit, when infinitely many trees are sampled). For simplicity assume that we have only two data points x1 9 Acknowledgements We would like to thank Raef Bassily, Luis Rademacher, Sasha Rakhlin, and Yusu Wang for conversa- tions and valuable comments. We acknowledge funding from NSF. DH acknowledges support from NSF grants CCF-1740833 and DMR-1534910. PPM acknowledges support from the Crick-Clay Professorship (CSHL) and H N Mahabala Chair (IITM). This work grew out of discussions origi- nating at the Simons Institute for the Theory of Computing in 2017, and we thank the Institute for the hospitality. PPM and MB thank ICTS (Bangalore) for their hospitality at the 2017 workshop on Statistical Physics Methods in Machine Learning. References [1] Fernando Affentranger and John A Wieacker. On the convex hull of uniform random points in a simpled-polytope. Discrete & Computational Geometry, 6(3):291–305, 1991. [2] Nina Amenta, Dominique Attali, and Olivier Devillers. Complexity of delaunay triangulation for points on lower-dimensional polyhedra. In Proceedings of the Eighteenth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA ’07, pages 1106–1113, 2007. [3] Martin Anthony and Peter L Bartlett. Function learning from interpolation. In Computational Learning Theory: Second European Conference, EUROCOLT 95, Barcelona Spain, March 1995, Proceedings, pages 211–221, 1995. [4] Martin Anthony and Peter L Bartlett. Neural Network Learning: Theoretical Foundations. Cambridge University Press, 1999. [5] Jean-Yves Audibert and Alexandre B Tsybakov. Fast learning rates for plug-in classifiers. The Annals of statistics, 35(2):608–633, 2007. [6] Peter Bartlett, Dylan J Foster, and Matus Telgarsky. Spectrally-normalized margin bounds for neural networks. In NIPS, 2017. [7] Peter L Bartlett, Philip M Long, and Robert C Williamson. Fat-shattering and the learnability of real-valued functions. Journal of Computer and System Sciences, 52(3):434–452, 1996. [8] Raef Bassily, Kobbi Nissim, Adam Smith, Thomas Steinke, Uri Stemmer, and Jonathan Ullman. Algorithmic stability for adaptive data analysis. In Proceedings of the forty-eighth annual ACM symposium on Theory of Computing, pages 1046–1059. ACM, 2016. [9] Frank Bauer, Sergei Pereverzev, and Lorenzo Rosasco. On regularization algorithms in learning theory. Journal of complexity, 23(1):52–72, 2007. [10] Mikhail Belkin, Irina Matveeva, and Partha Niyogi. Regularization and semi-supervised learning on large graphs. In International Conference on Computational Learning Theory, pages 624–638. Springer, 2004. [11] Mikhail Belkin, Daniel Hsu, and Partha Mitra. Overfitting or perfect fitting? risk bounds for classification and regression rules that interpolate. arXiv preprint arXiv:1806.05161, 2018. URL https://arxiv.org/abs/1806.05161. [12] Mikhail Belkin, Siyuan Ma, and Soumik Mandal. To understand deep learning we need to understand kernel learning. In Proceedings of the 35th International Conference on Machine Learning, pages 541–549, 2018. [13] Mikhail Belkin, Alexander Rakhlin, and Alexandre B. Tsybakov. Does data interpolation contradict statistical optimality? arXiv preprint arXiv:1806.09471, 2018. [14] Olivier Bousquet and André Elisseeff. Stability and generalization. J. Mach. Learn. Res., 2: 499–526, March 2002. ISSN 1532-4435. [15] Leo Breiman. Random forests. Machine learning, 45(1):5–32, 2001. [16] Andrea Caponnetto and Ernesto De Vito. Optimal rates for the regularized least-squares algorithm. Foundations of Computational Mathematics, 7(3):331–368, 2007. 10 [17] Kamalika Chaudhuri and Sanjoy Dasgupta. Rates of convergence for nearest neighbor classifi- cation. In Advances in Neural Information Processing Systems, pages 3437–3445, 2014. [18] Thomas Cover and Peter Hart. Nearest neighbor pattern classification. IEEE transactions on information theory, 13(1):21–27, 1967. [19] Adele Cutler and Guohua Zhao. Pert-perfect random tree ensembles. Computing Science and Statistics, 33:490–497, 2001. [20] Scott Davies. Multidimensional triangulation and interpolation for reinforcement learning. In Advances in Neural Information Processing Systems, pages 1005–1011, 1997. [21] Luc Devroye, Laszlo Györfi, and Adam Krzyzak.˙ The hilbert kernel regression estimate. Journal of Multivariate Analysis, 65(2):209–227, 1998. [22] Alhussein Fawzi, Seyed-Mohsen Moosavi-Dezfooli, and Pascal Frossard. Robustness of classifiers: from adversarial to random noise. In Advances in Neural Information Processing Systems, pages 1632–1640, 2016. [23] Komei Fukuda. Polyhedral computation FAQ. Technical report, Swiss Federal Institute of Technology, Lausanne and Zurich, Switzerland, 2004. URL https://www.cs.mcgill.ca/ ~fukuda/download/paper/polyfaq.pdf. [24] Noah Golowich, Alexander Rakhlin, and Ohad Shamir. Size-independent sample complexity of neural networks. In Thirty-First Annual Conference on Learning Theory, 2018. [25] Ian Goodfellow, Yoshua Bengio, and Aaron Courville. Deep Learning. MIT Press, 2016. [26] László Györfi, Michael Kohler, Adam Krzyzak, and Harro Walk. A Distribution-Free Theory of Nonparametric Regression. Springer series in statistics. Springer, 2002. [27] John H Halton. Simplicial multivariable linear interpolation. Technical Report TR91-002, University of North Carolina at Chapel Hill, Department of Computer Science, 1991. [28] Vladimir Koltchinskii and Dmitry Panchenko. Empirical margin distributions and bounding the generalization error of combined classifiers. Annals of Statistics, pages 1–50, 2002. [29] Tengyuan Liang, Tomaso Poggio, Alexander Rakhlin, and James Stokes. Fisher-rao metric, geometry, and complexity of neural networks. arXiv preprint arXiv:1711.01530, 2017. [30] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. In International Conference on Learning Representations, 2018. [31] Enno Mammen and Alexandre B Tsybakov. Smooth discrimination analysis. The Annals of Statistics, 27(6):1808–1829, 1999. [32] Pascal Massart and Élodie Nédélec. Risk bounds for statistical learning. The Annals of Statistics, 34(5):2326–2366, 2006. [33] Elizbar A Nadaraya. On estimating regression. Theory of Probability & Its Applications, 9(1): 141–142, 1964. [34] Behnam Neyshabur, Srinadh Bhojanapalli, and Nathan Srebro. A PAC-bayesian approach to spectrally-normalized margin bounds for neural networks. In International Conference on Learning Representations, 2018. [35] Ruslan Salakhutdinov. Deep learning tutorial at the Simons Institute, Berkeley, 2017. URL https://simons.berkeley.edu/talks/ruslan-salakhutdinov-01-26-2017-1. [36] Robert E Schapire and Yoav Freund. Boosting: Foundations and algorithms. MIT press, 2012. [37] Robert E Schapire, Yoav Freund, Peter Bartlett, and Wee Sun Lee. Boosting the margin: a new explanation for the effectiveness of voting methods. Ann. Statist., 26(5), 1998. 11 [38] Rolf Schneider. Discrete aspects of stochastic geometry. Handbook of discrete and computa- tional geometry, page 255, 2004. [39] Bernhard Scholkopf and Alexander J Smola. Learning with kernels: support vector machines, regularization, optimization, and beyond. MIT press, 2001. [40] Shai Shalev-Shwartz and Shai Ben-David. Understanding machine learning: From theory to algorithms. Cambridge university press, 2014. [41] Donald Shepard. A two-dimensional interpolation function for irregularly-spaced data. In Proceedings of the 1968 23rd ACM national conference, 1968. [42] Ingo Steinwart and Andreas Christmann. Support vector machines. Springer Science & Business Media, 2008. [43] Jiawei Su, Danilo Vasconcellos Vargas, and Sakurai Kouichi. One pixel attack for fooling deep neural networks. arXiv preprint arXiv:1710.08864, 2017. [44] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Good- fellow, and Rob Fergus. Intriguing properties of neural networks. In International Conference on Learning Representations, 2014. [45] Alexander B Tsybakov. Optimal aggregation of classifiers in statistical learning. The Annals of Statistics, 32(1):135–166, 2004. [46] Alexandre B Tsybakov. Introduction to nonparametric estimation. Springer Series in Statistics. Springer, New York, 2009. [47] Yizhen Wang, Somesh Jha, and Kamalika Chaudhuri. Analyzing the robustness of nearest neighbors to adversarial examples. In Proceedings of the 35th International Conference on Machine Learning, pages 5133–5142, 2018. [48] Larry Wasserman. All of statistics. Springer, 2004. [49] Larry Wasserman. All of nonparametric statistics. Springer, 2006. [50] Geoffrey S Watson. Smooth regression analysis. Sankhya:¯ The Indian Journal of Statistics, Series A, pages 359–372, 1964. [51] Abraham J Wyner, Matthew Olson, Justin Bleich, and David Mease. Explaining the success of adaboost and random forests as interpolating classifiers. Journal of Machine Learning Research, 18(48):1–33, 2017. [52] Yuan Yao, Lorenzo Rosasco, and Andrea Caponnetto. On early stopping in gradient descent learning. Constructive Approximation, 26(2):289–315, 2007. [53] Chiyuan Zhang, Samy Bengio, Moritz Hardt, Benjamin Recht, and Oriol Vinyals. Understanding deep learning requires rethinking generalization. In International Conference on Learning Representations, 2017. [54] Xiaojin Zhu, Zoubin Ghahramani, and John D Lafferty. Semi-supervised learning using gaussian fields and harmonic functions. In Proceedings of the 20th International conference on Machine learning (ICML-03), pages 912–919, 2003. 12